fixes #1410 check on user input to prevent SQL injection
plegall committed May 13, 2021
1 parent fbb489b commit 2ce1e59
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion admin/user_list_backend.php
@@ -65,7 +65,7 @@
$sOrder = "ORDER BY ";
$i = 0;
$col = $_REQUEST["order"][0]["column"];
if ( $_REQUEST['columns'][$col]["searchable"] == "true" )
if ( $_REQUEST['columns'][$col]["searchable"] == "true" and preg_match('/^(asc|desc)$/i', $_REQUEST["order"][0]["dir"]))
{
$sOrder .= $aColumns[ $col ].' '.$_REQUEST["order"][0]["dir"].', ';
}
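Review bot: the new `preg_match('/^(asc|desc)$/i', ...)` guard restricts the sort direction, but `$col` (taken from `$_REQUEST["order"][0]["column"]` two lines above) is still used unchecked to index both `$_REQUEST['columns']` and `$aColumns`, so a value that is not a valid key produces a PHP notice and an `ORDER BY` clause built from an empty column name. Adding `isset($aColumns[$col])` to the condition would ensure only a known, server-defined column name reaches the query. Minor: in PCRE `$` also matches before a trailing newline, so `/^(asc|desc)\z/i` (or the `D` modifier) states the intended exact match more precisely.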
1 comment on commit 2ce1e59

@nu11secur1ty

Good job. =)
if ( $_REQUEST['columns'][$col]["searchable"] == "true" and preg_match('/^(asc|desc)$/i', $_REQUEST["order"][0]["dir"]))
